Qualys Blog


RSA USA 2011 Presentation on Browser Security

We have just finished the first analysis on the data gathered by our BrowserCheck application and published our findings at the RSA USA 2011 conference.

An overwhelming majority of browsers is susceptible to well-known exploits that are widely available and in use in the crimeware and botnet community.

Take a look at the attached presentation (RSA 2011 SPO1-204 Session) to see the detailed and surprising results on the number of vulnerable browsers in the world, geographic distribution and the influence of browser plug-ins on overall security.

Patch Tuesday Bottomline – February 2011

Big news today: We have an industry first – HP/TippingPoint’s Zero Day Initiative (ZDI), a vulnerability broker, opens 22 new 0-day vulnerabilities in accordance with their recently changed disclosure policy. We will be watching to see how quickly the vendors, including CA, EMC, HP and IBM, will react. Also, Adobe and Mozilla both release new versions of their flagship products – Adobe Reader/Acrobat and Firefox, and Microsoft provides fixes in 12 security updates.

Microsoft’s February Patch Tuesday addresses vulnerabilities in Windows (all versions), Office (only Visio) and Internet Explorer and includes patches that address three major outstanding 0-day vulnerabilities: Internet Explorer "css.css", Windows "thumbnail" and the possible remote code execution on IIS through the FTP service. MS11-003 for Internet Explorer, MS11-006 for Windows "thumbnail" and MS11-004 for the IIS vulnerability are at the top of our list of recommended patches. The Internet Explorer flaw has seen an increased number of attacks recently and its fix should be the highest priority. While MS11-004 is currently classified as a DoS vulnerability only, security researchers have been working on a way to get to remote code execution.

MS11-007 is the third critical vulnerability in this month’s lineup and addresses a flaw in the OpenType library. Since OpenType is not used in Internet Explorer, this important attack vector is closed off, forcing more complicated delivery schemes to be used – via zipped folders, for example, similar to this attack on MS11-006. However, as third-party browsers can possibly be used in the exploitation of this flaw, we recommend including this patch in the high-priority queue.

While three 0-days have been addressed, ZDI added yesterday an additional five 0-days: four in Microsoft Excel and one in PowerPoint. These vulnerabilities were made public before the patches were actually available because the advisories had been in the vendor’s hands for longer than 180 days. Microsoft is not the only company affected: ZDI has one 0-day each for EMC, Novell, CA and SCO (good luck there), eight for IBM in Domino and Lotus Notes and even four 0-days for ZDI’s parent company HP (for example http://www.zerodayinitiative.com/advisories/ZDI-11-057).

In addition to all of this news, we are expecting Adobe to ship a new version of Reader X and Mozilla to get us a new version of Firefox – both have automatic updaters built in, which should accelerate the roll-out in most of the environments where these very recent software packages are already in use.

On an interesting note, Microsoft decided to publish KB967940 in Windows Update to increase its likelihood of installation. KB967940 has been available as an optional download for over a year and backports the "autorun" behavior from Windows 7 to Windows XP and 2003. Microsoft expects a positive impact on worm containment, as explained in detail on the MMPC blog.

Patch Tuesday – Preview February 2011 – Update

Adobe will also use this Patch Tuesday to ship an update for Adobe Reader X. Adobe Reader X is the most recent version of Adobe Reader and has incorporated sandbox technology to provide additional hardening against attacks. Security Advisory APSB11-03 warns of several critical flaws in the new product. They will be addressed on February 8 for Windows and Mac OS X, and later, on February 28, for Unix users.

See also: Ryan Naraine on ZDNet Zero day

Microsoft announced 12 bulletins today for February’s Patch Tuesday. Three of the bulletins are critical and include updates to address the recently disclosed flaws in Internet Explorer "css.css" – Microsoft Security Advisory 2488013 and Windows "thumbnail preview" – Microsoft Security Advisory 2490606. These vulnerabilities have seen limited exploits in the wild, so applying the update is highly recommended.

In addition, the lower-rated flaw in the FTP service is addressed with an update to the IIS server.

The remaining updates address flaws in Windows, Office and the development platform Visual Studio. All versions of Windows are affected, starting with Windows XP SP3 and going up to the latest versions, Windows 7 and Windows Server 2008 R2. The Office bulletin, however, is limited to a relatively small footprint: the Visio versions 2002, 2003 and 2007.

The recent MHTML issue in Windows/Internet Explorer will not be addressed in this update. The workaround suggested by Microsoft in Advisory 2501696 continues to be the recommended way of mitigating this attack vector.